Zeus

Virus Programming – Zeus Trojan

Introduction
Zeus is a Trojan horse that steals banking information by keystroke logging and Form
Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes.

Zeus, also known as Zbot, is a malware package that is readily available for sale and also
traded in underground forums. The package contains a builder that can generate a bot
executable and Web server files (PHP, images, SQL templates) for use as the command and
control server. While Zbot is a generic back door that allows full control by an unauthorized
remote user, the primary function of Zbot is financial gain—stealing online credentials such
as FTP, email, online banking, and other online passwords.

Zeus is primarily a crimeware kit designed to steal users‟ online banking login credentials,
among other things. It is the handiwork of Eastern European organized criminals that has
now entered the underground cybercriminal market as a commodity.

Zeus is a botnet package that can be purchased for as low as 700 USD and up to 15,000 USD
for the newest version with all available features and can also be found freely traded as well.
The bot can be found worldwide and thus remains consistently prevalent in compromising
unprotected computers.

In short, Zeus is two things:

• From a technical perspective, it is a crimeware tool primarily used to steal money.

• From another perspective, it signals a new wave in online criminal business enterprise
wherein many different organizations cooperate with one another to perpetrate outright online
theft and fraud.

1


Technical Facts
The technical aspect of Zeus is really not that complicated, at least from a functional
perspective. It does use a complex encryption technique but explaining its functionality is
pretty simple. It has the three components:

1. Zeus Trojan

2. Zeus configuration file (config)

3. Zeus drop zone where stolen credentials are sent

The Zeus botnet uses several delivery methods in the first stage—the Trojan.

Once the Zeus Trojan is executed, it downloads its configuration file from a predetermined
location then waits for the victim to log in to a particular target that its configfile has defined,
which usually comprises a selection of banks, their login URLs, and the like.

Unlike traditional keyloggers, Zeus Trojans are “men-in-the-browser” agents that grab
variables from a browser session such as an online banking session. This makes Zeus
especially dangerous because it also has the ability to inject additional form fields into a
legitimate Web session. Injecting these additional fields can fraudulently urge victims to
surrender more information than they would normally be required to in a session, for
instance, with their banks.

Some Zeus variants also contain a nasty feature called “JabberZeuS,” which immediately
relays victims‟ login credentials to cybercriminals in real-time via an instant messenger (IM).
This allows cybercriminals to bypass multifactor authentication schemes to log in to victims‟
accounts and to wire money to third parties, virtually piggybacking on the victims‟ sessions.

This is where the Zeus botnet‟s real power lays, the core nature of which is wholesale theft.

2


How it works?
Because Zbot is a package that is readily available, vectors of infection vary widely, with
popular methods including drive-by download and SPAM. SPAM runs of Zbot are a regular
occurrence using social engineering tactics, impersonating organizations such as the FDIC,
IRS, MySpace, Facebook, and Microsoft, as shown in figure 3 on the next page.
Once the bot is executed, the following actions take place:

It copies itself to %system32%sdra64.exe.

It sets the previous path to HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
NTwinlogonuserinit, so that winlogon.exe spawns the process at startup time.

It looks for winlogon.exe, increases its privileges, injects its code and a string table into this
process, and creates a thread to execute this code.

The main bot executable terminates

The injected code in winlogon injects additional code into svchost.exe.

It also creates a folder named %System%lowsec and puts two files inside: local.ds and
user.ds. Local.ds is the latest dynamic configuration file downloaded from the server. User.ds
contains stolen credentials and other information to be transmitted to the server.

The code inside svchost is responsible for network communication and third-party process
injection required to hook Internet-related APIs in order to inject or steal information to/from
banking sites

The communication between these various injected components is done with mutexes and
pipes, maliciously named _AVIRA_x, where x is a number (eg: x=2109 in winlogon.exe,
x=2108 in svchost.exe).

If Zeus is run using an account that does not have Administrator privileges, code will not be
injected into winlogon.exe, but instead into explorer.exe. Also, instead of copying itself to the
%System% folder, the bot will copy itself to %UserProfile%Application Datasdra64.exe,
and create the folder %UserProfile%Application Datalowsec.

Finally, the bot will create a load point under the registry key
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”userinit”=”
%UserProfile%Application Datasdra64.exe”.

3


Functionality

The main purpose of Zeus is to steal online credentials as specified by the hacker. Zeus
performs four main actions:
Gathering system information.
Stealing protected storage information, FTP passwords, and POP3 passwords.
Stealing online credential information as specified by a configuration file.
Contacting the command and control server for additional tasks to perform.

System Information Gathering
By default Zeus will automatically gather a variety of system information and send this
information to the command and control server. This information includes:
A unique bot identification string
Name of the botnet
Version of the bot
Operating system version
Operating system language
Local time of the compromised computer
Uptime of the bot
Last report time
Country of the compromised computer
IP address of the compromised computer
Process names

Credential Stealing
Zeus‟ main purpose is to steal online credentials and does so in two manners—by automatic
actions hardcoded in the binary and also using configuration files that are included in the
Zeus binary, but also downloadable from the command and control server.
After Zeus is executed, it will automatically steal information stored in the PSTORE
(Protected Storage), which usually contains saved Internet Explorer passwords and also
automatically captures any FTP or POP3 (email) passwords that are sent across the network
in the clear.
However, Zeus‟ most effective means of financial gain is controlled via a configuration file
modified by the distributor of the Trojan. This configuration file specifies actions to perform
once Zeus is installed and is updatable via the command and control server.

Web Page Injection
Many online banking and other Web sites that require credentials have evolved to evade
standard keystroke logging or network-sniffing attacks. Thus, many credential-stealing
threats now utilize HTML injection techniques to obtain credential information. In particular,
these threats inject additional HTML into legitimate pages that cause the user to input
credential information not actually required by the financial Web site or HTML content that

4


defeats client-side security techniques, such as hashing credentials before they are sent over
the wire.
Sample Web injections are provided in the Zeus package and are defined in the configuration
file.
Below is an example of injection configuration block:

set_urlhttp://www.[REMOVED].com/contact.php

data_before

name=‟email‟*</tr>

data_end

data_inject

<tr><td>PIN:</td><td><input type=”text” name=”pinnumber” id=”pinnumber” /></td></tr>

data_end

data_after

data_end

On any Web page matching the URL http://www.[REMOVED].com/content.php, the HTML
defined by „data_inject‟ is added after the string “email*</tr>” in the existing page. Before
the injection, the targeted form on the Web page looks like figure1. After the injection, looks
like figure2. When the form is sent, the Zeus will intercept the content of the form including
the PIN number and send this information to the command and control server, as shown in
figure.
The syntax also allows for HTML to be replaced rather than just added by also specifying the
„data_after‟ field. When this field is specified, then the HTML specified by data_inject will
replace the HTML content between „data_before‟ and „data_after‟. Replacement HTML is
usually used to modify or hijack JavaScript that is used for client side security purposes. For
example, many online banking sites with increased security will hash the credentials before
sending the credentials over the wire. This JavaScript routine used for hashing will be
hijacked to also preserve the plaintext credentials and send them using non-visible form
fields, which will then be intercepted and sent to the command and control servers.

Web page before injection :-

5


Web page after injection :-

Zeus Infection Chain
The following figure shows how a typical Zeus infection takes place.

6


Conclusion
Zeus provides a ready-to-deploy package for hackers to distribute their own botnet. The
botnet is easily purchased and also freely traded online and continues to be updated to
provide new features and functionality. The ease-of-use of Zeus means the Zeus bot is used
widely and is highly prevalent, allowing the most novice hackers to easily steal online
banking credentials and other online credentials for financial gain.

7

Zeus

More Related Content

What's hot

Viewers also liked

Similar to Zeus

Recently uploaded

Zeus